1. Field of the Invention
The invention relates generally to smartcards and more particularly to a process for securely customizing a smartcard chip with software.
2. Background Art
Production Process
A production process for customizing a smartcard with software generally comprises four phases: masking, pre-customization, card mounting and customization.
Referring to FIG. 1, a smartcard chip 100 is schematically represented. The smartcard chip 100 carries a Read Only Memory (ROM) module, an EEPROM module of rewritable memory, a Random Access Memory (RAM), a Central Processing Unit (CPU) and an Input/Output (IO) interface for communication of data.
Masking and Pre-customization
During the masking process, a client wishes to obtain a smartcard that contains a specific software and pre-customization information in the smartcard chip's memories (ROM, EEPROM). The software is generally at least partly stored in the appropriate memory by the chip manufacturer at the issue of a wafer manufacturing process by means of a process known as masking. The client provides the chip manufacturer with the software to store into ROM and with pre-customization information to store into EEPROM. The chip manufacturer performs the masking process by which the software and pre-customization information are stored as appropriate.
The pre-customization information stored in EEPROM generally corresponds to a transport key that is part of a strategy to prevent fraudulent use of the masked smartcard chip. The transport key is required as an input at the first execution of the software contained in the ROM in order to render the software fully operational. In other words, the software stored in the ROM is protected, since it cannot be executed properly without knowledge of the transport key.
The transport key may only be recovered from EEPROM using a Security Access Module (SAM). Hence the masked smartcard chip is effectively useless for a potential thief. Generally the masked chip may merely receive and execute a limited number of commands without knowing the transport key, including for example a RESET command or an electrical test command of the chip.
After the masking process, the smartcard chip with the software corresponds to specifications of the client, i.e., the smartcard chip may receive and process commands as specified for the client's product provided the transport key is available.
Card Mounting and Customization
The manufacturer sends masked smartcard chips on a wafer to a card mounter who mounts the smartcard chips on smartcard supports. The card mounter performs all final process steps to obtain a smartcard. These final process steps may include printing a pattern on the smartcard and customization of the chip according to the client's instructions. Customization of the chip starts with an electrical test of the chip and may comprise implementing additional commands in the memories of the chip.
In order to implement additional commands on the chip it is necessary to execute the software which enables commands for writing data to the chip memories. The card mounter recovers the transport key from the EEPROM by means of a Security Access Module (SAM) and uses the key to execute the software stored in ROM, thereby gaining access to the write commands needed to store the additional commands in memory.
There may be a further customization step to perform by the client. In this case the client receives the smartcards from the card mounter and uses a SAM to recover the transport key. The latter is used to execute the software in a similar way as was done by the card mounter and to subsequently write custom information into chip memories.
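The masking, pre-customization and customization steps described above can be made concrete with a small model of a masked chip. The following C program is an added illustration, not code from the patent or from any chip vendor: it assumes an 8-byte transport key, a retry counter held in EEPROM, and a SAM modelled simply as the legitimate party's holder of the key copy (how a real SAM recovers the key is not modelled). The chip answers only RESET and the electrical test until the key is presented, refuses memory writes before that, and blocks itself after a fixed number of wrong keys.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed model of a masked smartcard chip (constructed for illustration,
 * not the patent's or any vendor's firmware). */
#define TRANSPORT_KEY_LEN 8
#define MAX_KEY_ATTEMPTS 3
#define USER_MEM_SIZE 32

enum cmd { CMD_RESET, CMD_ELECTRICAL_TEST,
           CMD_PRESENT_TRANSPORT_KEY, /* data = candidate key            */
           CMD_WRITE_MEMORY };        /* data[0] = offset, data[1..] = bytes */
enum status { ST_OK, ST_LOCKED, ST_BAD_KEY, ST_BLOCKED, ST_BAD_PARAM };

struct chip {
    uint8_t eeprom_transport_key[TRANSPORT_KEY_LEN]; /* pre-customization data */
    uint8_t eeprom_attempts_left;                    /* survives reset          */
    uint8_t eeprom_user_mem[USER_MEM_SIZE];          /* customization target    */
    bool    ram_unlocked;                            /* cleared by reset        */
};

/* Constant-time comparison: a wrong guess must not reveal which byte failed. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Masking: the manufacturer stores the client's transport key in EEPROM. */
void chip_mask(struct chip *c, const uint8_t key[TRANSPORT_KEY_LEN]) {
    memset(c, 0, sizeof *c);
    memcpy(c->eeprom_transport_key, key, TRANSPORT_KEY_LEN);
    c->eeprom_attempts_left = MAX_KEY_ATTEMPTS;
}

enum status chip_command(struct chip *c, enum cmd cmd,
                         const uint8_t *data, size_t len) {
    switch (cmd) {
    case CMD_RESET:           c->ram_unlocked = false; return ST_OK;
    case CMD_ELECTRICAL_TEST: return ST_OK;
    case CMD_PRESENT_TRANSPORT_KEY:
        if (c->eeprom_attempts_left == 0) return ST_BLOCKED;
        c->eeprom_attempts_left--;   /* decrement first: a power cut still counts */
        if (len != TRANSPORT_KEY_LEN ||
            !ct_equal(data, c->eeprom_transport_key, TRANSPORT_KEY_LEN))
            return c->eeprom_attempts_left == 0 ? ST_BLOCKED : ST_BAD_KEY;
        c->eeprom_attempts_left = MAX_KEY_ATTEMPTS;
        c->ram_unlocked = true;
        return ST_OK;
    case CMD_WRITE_MEMORY:
        if (!c->ram_unlocked) return ST_LOCKED;
        if (len < 2 || data[0] + (len - 1) > USER_MEM_SIZE) return ST_BAD_PARAM;
        memcpy(c->eeprom_user_mem + data[0], data + 1, len - 1);
        return ST_OK;
    }
    return ST_BAD_PARAM;
}

/* The SAM is modelled only as the holder of the key copy (assumption). */
struct sam { uint8_t transport_key[TRANSPORT_KEY_LEN]; };

/* Card mounter flow: test, unlock with the SAM's key, write, lock again. */
int customize_with_sam(struct chip *c, const struct sam *s,
                       const uint8_t *payload, size_t payload_len) {
    uint8_t buf[1 + USER_MEM_SIZE];
    if (payload_len > USER_MEM_SIZE) return -1;
    if (chip_command(c, CMD_ELECTRICAL_TEST, NULL, 0) != ST_OK) return -2;
    if (chip_command(c, CMD_PRESENT_TRANSPORT_KEY, s->transport_key,
                     TRANSPORT_KEY_LEN) != ST_OK) return -3;
    buf[0] = 0;                               /* write at offset 0 */
    memcpy(buf + 1, payload, payload_len);
    if (chip_command(c, CMD_WRITE_MEMORY, buf, payload_len + 1) != ST_OK) return -4;
    chip_command(c, CMD_RESET, NULL, 0);      /* leave the chip locked */
    return 0;
}

/* Walks the whole flow with constructed values; returns 0 on success,
 * otherwise the number of the step that behaved unexpectedly. */
int self_check(void) {
    const uint8_t key[TRANSPORT_KEY_LEN] = {0x1F,0x2E,0x3D,0x4C,0x5B,0x6A,0x79,0x88};
    const uint8_t wrong[TRANSPORT_KEY_LEN] = {0};
    const uint8_t payload[2] = {0xAA, 0xBB};
    struct chip c; struct sam s;
    chip_mask(&c, key);
    memcpy(s.transport_key, key, TRANSPORT_KEY_LEN);
    if (chip_command(&c, CMD_WRITE_MEMORY, payload, 2) != ST_LOCKED) return 1;
    if (chip_command(&c, CMD_PRESENT_TRANSPORT_KEY, wrong, 8) != ST_BAD_KEY) return 2;
    if (customize_with_sam(&c, &s, payload, 2) != 0) return 3;
    if (c.eeprom_user_mem[0] != 0xAA || c.eeprom_user_mem[1] != 0xBB) return 4;
    if (c.ram_unlocked) return 5;              /* reset relocked the chip */
    for (int i = 0; i < MAX_KEY_ATTEMPTS - 1; i++)
        if (chip_command(&c, CMD_PRESENT_TRANSPORT_KEY, wrong, 8) != ST_BAD_KEY) return 6;
    if (chip_command(&c, CMD_PRESENT_TRANSPORT_KEY, wrong, 8) != ST_BLOCKED) return 7;
    if (chip_command(&c, CMD_PRESENT_TRANSPORT_KEY, key, 8) != ST_BLOCKED) return 8;
    return 0;
}
```

Two design points are worth noting: the unlock state lives in RAM so that a reset returns the chip to its masked, locked condition, and the attempt counter is decremented in EEPROM before the comparison so that cutting power mid-check cannot be used to get unlimited guesses. Neither detail is stated in the text above; both are standard practice in this kind of firmware.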
The described process of masking suffers from a security problem in that both the entire software and the secret transport key are provided to the chip manufacturer by the client. If the secret transport key is misused by the manufacturer, or stolen from the manufacturer in order to execute the software, the masked chip may potentially be used and/or sold illegally and cause damage to the client.
In addition there is a security problem which occurs when the card mounter recovers the transport key. Here also the transport key may potentially be misused.
Furthermore there is a risk that the software code is misused by the manufacturer or stolen from the manufacturer, and that illegal copies of the software are sold, thereby causing damage to the client.